Security

G Suite has been built from the ground up to mitigate the threats that are
unique to cloud systems. Google’s standards for performance and reliability
apply to businesses, schools and government institutions around the world.

The technology, scale, and agility of our infrastructure bring unique
security benefits to our customers. Our vast network of data centers is
built with custom-designed servers that run our own operating system for
security and performance. Because Google controls its entire hardware stack,
we are able to respond quickly to threats as they emerge.

Google employs more than 650 full-time professionals working to protect your
data, including some of the world’s foremost experts in computer security.
Just like all teams at Google, this team is constantly innovating and making
the future more secure, not just for Google’s billion users, but for business
organizations as well.

Google has an outstanding track record of protecting user data. We protect
this data from outside intrusions as well as insider threats. Our approach to
outside threat management is extensively documented here. In addition, we tightly restrict and monitor any
internal access to user data. The small set of employees with access is
subject to rigorous authentication measures, detailed logging, and activity
scanning to detect inappropriate access via log analysis.

It is this unique combination of people, technology and agility that ensures
your data is secure at Google. For more information, check out the G Suite Security Whitepaper.

Google undergoes several independent third-party audits on a regular basis.
These independent auditors examine the controls present in our data centers,
infrastructure, and operations. Examples of these audits and standards
include:

G Suite for Education can be used in compliance with laws and regulations
important to schools.

Is G Suite HIPAA compliant?

Many G Suite services are HIPAA compliant. G Suite customers who are subject
to HIPAA and wish to use G Suite with Protected Health Information (PHI) must
sign a Business Associate Agreement (BAA) with Google. We have
published our G Suite HIPAA Implementation Guide to help customers
understand how to organize data on Google services when handling PHI. This
guide is intended for employees in organizations who are responsible for
HIPAA implementation and compliance with G Suite. More
information on HIPAA compliance.

How does Google respond to government requests for data?

Respect for the privacy and security of data you store with Google underpins
our approach to producing data in response to legal requests. When we receive
such a request, our team reviews the request to make sure it satisfies legal
requirements and Google's policies. Generally speaking, for Google to produce
any data, the request must be made in writing, signed by an authorized
official of the requesting agency and issued under an appropriate law. If we
believe a request is overly broad, we'll seek to narrow it. For more
information, visit Google’s Transparency Report.

Does Google encrypt my data?

Core customer data that is uploaded or created in G Suite services is
encrypted at rest, as described in this help
center article.

This encryption happens as it is written to disk, without the customer having
to take any action. Google encrypts data with distinct encryption keys, even
if they belong to the same customer. Data is encrypted using 128-bit or
stronger Advanced Encryption Standard (AES).

Google encrypts core G Suite data while it is “in transit” as well, whether
it is traveling over the Internet between the customer and Google, or moving
within Google as it shifts from one data center to another. We encrypt this
data between Google and our customers using HTTPS with forward secrecy.

Do I need to use third-party tools to keep my data secure within Google?

Google offers the security features required by most customers directly in G
Suite. G Suite’s Business and Enterprise editions offer some additional
security features, such as advanced Google Drive auditing and security key
management at scale. In all editions, G Suite administrators have control
over system configuration and applications from within a single dashboard
via our Admin console, regardless of the size of the organization.

My organization is subject to EU data protection requirements. Can I use G
Suite?

Is G Suite FedRAMP compliant?

Yes. G Suite, G Suite for Education, G Suite for Nonprofits, G Suite for
Government, and Google App Engine have received a FedRAMP Authorization to
Operate (ATO) from the U.S. federal government at the FIPS 199 moderate
impact level, which covers data such as PII and Controlled Unclassified
Information.

The Federal Risk and Authorization Management Program (FedRAMP) is the
required cloud security compliance standard for U.S. federal agencies. It is
a government-wide program that helps agencies adopt cloud-based technology
using a standardized approach to security assessment, authorization, and
continuous monitoring.

Which Google services are ISO 27001 certified?

ISO 27001 is one of the most widely recognized, internationally accepted
independent security standards. Certification assures our customers that
Google is committed to the ongoing development and maintenance of a robust
Information Security Management System (ISMS), and that an independent
third-party auditor regularly audits and certifies it. You can view a copy
of our ISO 27001 certificate here. In addition to ISO 27001, Google undergoes
multiple independent third-party audits to provide further transparency
about our security practices. Our audits are summarized in our summary
compliance paper.